Topic: OpenVPN peer to peer - connects but won't pass traffic

mclaborn
OpenVPN peer to peer - connects but won't pass traffic
« on: November 13, 2017, 11:02:26 am »
Site A - OpenVPN server
pfSense 2.4.1
OpenVPN server running on port 1195
Has 3 WAN interfaces. I'm trying to get the VPN running on WAN1.

Site B - OpenVPN client
pfSense 2.3.4

I've triple-checked the OpenVPN settings between client and server and they match. The status page indicates that the VPN is connected, but I am unable from a computer on the B network to ping anything on the A network. A computer on the B network can ping both sides of the private VPN network (10.0.27.1 and 10.0.27.2). I can ping from the pfSense B to various addresses on the A network.

B has an allow all firewall rule on the OpenVPN tab.

A has an allow all firewall rule on the OpenVPN tab.
A has an allow all firewall rule for port 1195 on the WAN1 tab. I've tried the destination as both "any" and "this firewall" with the same results.
A has an outbound NAT rule -
Interface: WAN1
Source: B's network/24
Source Port: *
Destination: *
Destination Port: *
NAT Address: WAN1 address
NAT Port: *

There are other Outbound NAT rules for B's network/24 but they are for specific addresses (both pfSense boxes). These allow me to connect to the pfSense boxes when using IPSec VPN.

Any ideas on what I'm doing wrong?  I suspect the NAT rule - mostly because I've never been quite able to wrap my mind around how those work.
Mitch

viragomann
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #1 on: November 13, 2017, 03:45:19 pm »
but I am unable from a computer on the B network to ping anything on the A network. A computer on the B network can ping both sides of the private VPN network (10.0.27.1 and 10.0.27.2). I can ping from the pfSense B to various addresses on the A network.
That suggests that the site B pfSense isn't the default gateway in the site B network. If it isn't, you need a static route for the site A network on each device at site B you want to access, or you do NAT on the VPN.

A has an outbound NAT rule -
Interface: WAN1
Source: B's network/24
Source Port: *
Destination: *
Destination Port: *
NAT Address: WAN1 address
NAT Port: *
That rule only makes sense for accessing the internet from site B over the VPN. Don't know if that's what you want.

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #2 on: November 14, 2017, 09:47:48 am »
Here is the routing table for my computer on the B network.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    100    0        0 eno1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
172.16.52.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
172.16.150.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.5.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
The B network is 192.168.5.0/24 with the gateway as .1.

As far as I can tell, the routes on the B pfSense are correct:

Code:
Destination        Gateway        Flags   Use      Mtu    Netif   Expire
default            47.186.30.1    UGS     6287086  1500   em0
10.0.27.1          link#8         UH      5        1500   ovpnc2
10.0.27.2          link#8         UHS     0        16384  lo0
10.1.16.0/24       10.1.16.2      UGS     0        1500   ovpns1
10.1.16.1          link#7         UHS     0        16384  lo0
10.1.16.2          link#7         UH      1544773  1500   ovpns1
47.186.30.0/24     link#1         U       1356533  1500   em0
47.186.30.3        link#1         UHS     0        16384  lo0
67.232.254.142     47.186.30.1    UGHS    126810   1500   em0
127.0.0.1          link#6         UH      197111   16384  lo0
172.16.0.0/24      10.0.27.1      UGS     181240   1500   ovpnc2
192.168.5.0/24     link#2         U       4555834  1500   em1
192.168.5.1        link#2         UHS     0        16384  lo0
207.177.38.109     47.186.30.1    UGHS    162037   1500   em0

The A network is 172.16.0.0/24.
Mitch

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #3 on: November 14, 2017, 09:59:04 am »
That rule only makes sense for accessing the internet from site B over the VPN. Don't know if that's what you want.

I don't really need to access the outside world over the VPN.  I disabled all the outbound NAT rules for B's network, but it didn't help.
Mitch

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #4 on: November 14, 2017, 10:03:23 am »
Traceroute from my computer on the B network below. Looks like the routing is correct, but something is not passing the traffic?

Code:
traceroute -n 172.16.0.212
traceroute to 172.16.0.212 (172.16.0.212), 30 hops max, 60 byte packets
 1  192.168.5.1  0.453 ms  0.440 ms  0.560 ms
 2  10.0.27.1  30.880 ms  30.886 ms  30.879 ms
 3  * * *
 4  * * *
Mitch

viragomann
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #5 on: November 14, 2017, 10:28:18 am »
Do you run multiple OpenVPN instances on one site, either server or client?

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #6 on: November 14, 2017, 10:41:06 am »
Do you run multiple OpenVPN instances on one site, either server or client?

Yes, the server side (A) has another OpenVPN instance on port 1194 for single users rather than peer to peer. I've been using that one to connect to network A since 2.4 messed up our IPSec VPNs.

The client pfSense (B) also runs an OpenVPN instance for single users on port 1194.
Mitch

viragomann
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #7 on: November 14, 2017, 11:01:28 am »
So you should assign an interface to each OpenVPN instance. Have you done this?

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #8 on: November 15, 2017, 04:36:34 pm »
So you should assign an interface to each OpenVPN instance. Have you done this?

I'm sure my ignorance will show, but I'm not quite sure what you mean. Are you saying that each OpenVPN server instance needs to be assigned to a different interface on the pfSense, even though they are listening on different ports?
Mitch

viragomann
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #9 on: November 15, 2017, 05:37:11 pm »
No, you misunderstood. An interface has to be assigned to the VPN instance.
Interfaces > Assign.

At "Available network ports" select the VPN instance (ovpnc1, ovpns1) and hit Add, then click the new interface, enable it and set an appropriate name; no further settings need to be made.
After that you should move the needed firewall rules to the new interfaces. "OpenVPN" is handled as an interface group containing all OpenVPN instances. Rules on that tab affect all OpenVPN instances.

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #10 on: Yesterday at 09:52:22 am »
I must still be missing something.

I assigned the interfaces as you suggested, on both the server and client sides. On the server side, ovpns1 is assigned to OPT5 for the original server that is used by various individuals. ovpns2 is assigned to OPT6 for the new peer-to-peer that is not yet working.

On the client side, ovpns1 is assigned to OPT1 for the server running there - I use this from my computer when traveling. ovpnc2 is assigned to OPT2 - the other side of the peer-to-peer that is not yet working. 

Both client and server have an allow all rule for IPv4 on the OpenVPN tab.

The VPN shows connected on both sides.

I can still ping from the client pfSense to addresses on the server network if I use "OpenVPN Client (peer-to-peer)" as the source address. I think this means that traffic can pass from the client pfSense over the VPN tunnel.

The routes on the client pfSense appear to me to be correct, as do the routes on the computers on the client network.
Mitch

viragomann
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #11 on: Yesterday at 11:50:00 am »
I can still ping from the client pfSense to addresses on the server network if I use "OpenVPN Client (peer-to-peer)" as the source address. I think this means that traffic can pass from the client pfSense over the VPN tunnel.
And if you select the LAN address here it's not working?

mclaborn
Re: OpenVPN peer to peer - connects but won't pass traffic
« Reply #12 on: Yesterday at 08:15:36 pm »
Correct.  I can ping (from pfSense) addresses on the server network from "OpenVPN Client" but cannot ping from LAN.

The routes look correct as far as I can tell (see attached). There is an allow all rule from the LAN network to any.
Mitch
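The two routing tables posted in Reply #2 and the symptom in Reply #12 (a ping sourced from the tunnel address crosses, one sourced from the LAN address does not) are exactly what a route-table check turns on: the forward path host -> site B pfSense -> tunnel, and the return route on the far side for the source address. The following is an added example, not code from this thread or from pfSense. It parses the posted Linux (route -n) and FreeBSD (netstat -rn) tables, does a longest-prefix lookup, and checks both directions. The site A table is constructed, since the thread never shows one, with hypothetical addresses (198.51.100.1 as WAN gateway, ovpns2 as the tunnel interface); it only illustrates the asymmetric case the check detects, not a finding about the poster's actual setup.

```python
import ipaddress

# Routing table of the Linux host on the site B LAN (route -n output as posted in Reply #2).
B_HOST_LINUX = """
0.0.0.0         192.168.5.1     0.0.0.0         UG    100    0        0 eno1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
172.16.52.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
172.16.150.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.5.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
"""

# Routing table of the site B pfSense (netstat -rn style rows as posted in Reply #2, header dropped).
B_PFSENSE = """
default 47.186.30.1 UGS 6287086 1500 em0
10.0.27.1 link#8 UH 5 1500 ovpnc2
10.0.27.2 link#8 UHS 0 16384 lo0
10.1.16.0/24 10.1.16.2 UGS 0 1500 ovpns1
172.16.0.0/24 10.0.27.1 UGS 181240 1500 ovpnc2
192.168.5.0/24 link#2 U 4555834 1500 em1
192.168.5.1 link#2 UHS 0 16384 lo0
"""

# CONSTRUCTED site A table (the thread never posts one). Hypothetical: tunnel end 10.0.27.1 on
# ovpns2, LAN 172.16.0.0/24 on em1, WAN gateway 198.51.100.1. No route back to the site B LAN.
A_PFSENSE_NO_RETURN = """
default 198.51.100.1 UGS 0 1500 em0
10.0.27.1 link#9 UHS 0 16384 lo0
10.0.27.2 link#9 UH 0 1500 ovpns2
172.16.0.0/24 link#2 U 0 1500 em1
"""

# Same constructed table plus a return route for the site B LAN through the tunnel.
A_PFSENSE_WITH_RETURN = A_PFSENSE_NO_RETURN + "192.168.5.0/24 10.0.27.2 UGS 0 1500 ovpns2\n"


def parse_freebsd(text):
    """Parse netstat -rn rows (Destination Gateway Flags Use Mtu Netif); link#N gateway = on-link."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        dest, gw, netif = f[0], f[1], f[5]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"                      # host route
        gateway = None if gw.startswith("link#") else gw
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
    return routes


def parse_linux(text):
    """Parse route -n rows (Destination Gateway Genmask Flags Metric Ref Use Iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        gateway = None if f[1] == "0.0.0.0" else f[1]
        routes.append((net, gateway, f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway or None if on-link, interface), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forward_path_problems(host_routes, b_routes, dst, b_lan_ip, tunnel_if):
    """Check host -> site B pfSense -> tunnel for a packet to dst; returns a list of findings."""
    problems = []
    hop = lookup(host_routes, dst)
    if hop is None or hop[0] != b_lan_ip:
        problems.append(f"host sends {dst} via {hop}, not via the pfSense at {b_lan_ip}")
    hop = lookup(b_routes, dst)
    if hop is None or hop[1] != tunnel_if:
        problems.append(f"site B pfSense sends {dst} via {hop}, not into {tunnel_if}")
    return problems


def return_route_ok(a_routes, src, tunnel_if):
    """True when the far side would send replies for src back into the tunnel interface."""
    hop = lookup(a_routes, src)
    return hop is not None and hop[1] == tunnel_if


if __name__ == "__main__":
    host, b = parse_linux(B_HOST_LINUX), parse_freebsd(B_PFSENSE)
    print("forward:", forward_path_problems(host, b, "172.16.0.212", "192.168.5.1", "ovpnc2") or "ok")
    for label, table in (("no return route", A_PFSENSE_NO_RETURN), ("with return route", A_PFSENSE_WITH_RETURN)):
        a = parse_freebsd(table)
        print(f"{label}: LAN host ok={return_route_ok(a, '192.168.5.50', 'ovpns2')}, "
              f"tunnel address ok={return_route_ok(a, '10.0.27.2', 'ovpns2')}")
```

Against the posted tables the forward path comes out clean, which matches the traceroute in Reply #4 reaching 10.0.27.1. The constructed site A table shows why a ping sourced from the tunnel address can succeed while one sourced from the LAN fails: the far side always has a host route for the tunnel peer, but only has a route for the remote LAN if one was configured (on a pfSense OpenVPN server that is the "IPv4 Remote Network(s)" field, or a static route). To run the same check on real boxes, paste the output of Diagnostics > Routes (or `netstat -rn` from the shell) from both sites into the two table strings.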